Audit of NARA's Processing of Military Personnel Record Requests

OIG Report No. 09-16

September 30, 2009

OIG Audit Report No. 09-16

EXECUTIVE SUMMARY

The National Personnel Records Center (NPRC) maintains the personnel and medical records of nearly all former members of the U.S. military service departments who served during the twentieth century. Approximately 80 percent of the records maintained by the National Archives and Records Administration (NARA) are the property of the Department of Defense, which reimburses NARA for storing and servicing the records. The remaining 20 percent have been accessioned as permanent records of the United States and are owned by NARA. In FY 2008, NARA's National Personnel Records Center (NPRC) had military service records for more than 56 million veterans. These records contained such documents as enlistment contracts, duty locations, performance evaluations, award citations, training records, and the Report of Separation (DD Form 214 or earlier equivalent) [1]. NPRC responds to more than one million requests a year from veterans and their family members for information contained in the Official Military Personnel Files (OMPF).

For this audit, we assessed the management controls over the processing and distribution of veterans' record requests. Specifically, our review focused on whether the process was sufficient to properly safeguard veteran's information in accordance with the Privacy Act.

Safeguarding PII in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public.
The Privacy Act of 1974 required agencies to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

We found that while NPRC has taken action to heighten the awareness of staff to erroneous disclosures [2] of veteran's information, controls over the processing of veteran's record requests need to be strengthened in order to properly safeguard veteran's PII. NPRC relies on an automated case management system to track and process both electronic and mail-based inquiries from receipt through fulfillment and closure. The system has significantly reduced the amount of time it takes NPRC to respond to a veteran's record request; however, vulnerabilities in the system leave veteran's personal information susceptible to unauthorized disclosure and jeopardize the integrity of the information stored in the system. We also found that additional safeguards are needed in order to protect veteran's PII in paper form and to ensure that persons requesting access to records have the proper authorization to obtain those records.

[1] The Report of Separation contains information such as dates and character of service, final rank, awards earned, and military occupation specialty. It is a key to obtaining veteran's benefits such as home loans, civil service appointments, education, training, and medical care.

[2] According to NPRC, an erroneous disclosure happens when a technician dispatches a response without properly verifying that the subject of the record matches the subject of the request or when a technician inadvertently switches response documents among service requests assigned to them.

This report contains 14 recommendations which upon implementation will assist NARA in providing appropriate administrative, technical, and physical safeguards over PII as required by the Privacy Act.

BACKGROUND

The National Personnel Records Center (NPRC) maintains the personnel and medical records of nearly all former members of the U.S. military service departments who served during the twentieth century, and responds to requests for these records. Most of the records maintained by NARA are the property of the Department of Defense (DoD), which reimburses NARA for storing and servicing the records. In 2004, DoD and the Archivist of the United States signed an agreement making the Official Military Personnel File (OMPF) a permanent record of the United States. In subsequent agreements, it was decided that an OMPF becomes archival and ownership transfers from DoD to NARA 62 years after the subject of the record was discharged or retired, or died in service.

NPRC receives approximately 4,000 requests per day about OMPF. Many of these requests come from veterans, their families, or organizations working on behalf of veterans to verify their military service, apply for benefits, or research medical conditions.
More than 40 percent of the requests received ask for only a copy of the separation document, the DD Form 214 or its predecessor forms which contains important information such as dates and character of service, final rank, awards earned, and military occupation specialty. Other popular requests are to obtain copies of health records, replacement or newly authorized service medals, records of one's own (or a family member's) military service, and verification for entitlement for burial in a national cemetery. NPRC responds to more than one million requests a year and strives to answer all requests within 10 working days because a veteran's ability to obtain a job, housing, or medical care often depends on NPRC's ability to meet information needs quickly.

Federal law requires that all requests for records and information be submitted in writing. Each request must be signed (in cursive) and dated within the last year. To request military service records, veterans and the next of kin of deceased veterans may use one of the following methods:

    • fill out an online request (using eVetRecs system);
    • mail or fax a Standard Form 180;
    • write a letter;
    • visit NPRC; or
    • hire an independent researcher.

In the FY 2008 Assurance Statement, NPRC officials reported they had increased their emphasis on protecting personal data but there were still 196 erroneous disclosures. According to NPRC officials, they take erroneous disclosures very seriously and when reported, will examine the circumstances surrounding the erroneous disclosure. When carelessness is determined to be the root cause, the erroneous disclosure is addressed with disciplinary actions. NPRC officials conducted a standardization review in FY 2008 which observed core technicians at work to determine their level of compliance with several critical tasks.
The critical tasks were identified as actions that, if not taken, would have an extremely high likelihood of violating the Privacy Act, damaging record holdings, reducing the availability of essential documents, or providing a poor quality response to the requester. An example of one critical task is that the technicians maintain only one record at a time in their immediate work area which would help correct the problem of technicians accidentally switching response documents among service requests assigned to them.

Safeguarding of PII is important to protect individuals, maintain public trust and confidence in an organization, protect the reputation of an organization and protect against legal liability for an organization. For Federal government agencies, the need to protect PII was first established by the Privacy Act of 1974. The Privacy Act required agencies to protect PII and to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

OBJECTIVE, SCOPE, METHODOLOGY

The objective of this audit was to assess the management controls over the processing and distribution of veterans' record requests. Specifically, we determined whether the process was sufficient to properly safeguard veteran's information in accordance with the Privacy Act and OMB policies.

The audit was conducted at the National Personnel Records Center (NPRC) in St.
Louis, MO and at Archives II in College Park, MD, primarily with the Office of Regional Record Services (NR) and the Office of Information Services (NH). We also contacted the Acquisition Services Division (NAA) and the General Counsel's Office (NGC).

In support of the audit objective, we reviewed the Privacy Act of 1974 and OMB policy memorandums on safeguarding PII. We also reviewed NARA policy and procedures for releasing veteran records. We evaluated controls over the receipt of military personnel record requests, the processing of those requests, and the distribution of the requested information to ensure privacy information was not released to unauthorized individuals. We evaluated controls in the Case Management and Reporting System (CMRS) to determine whether the controls were reasonable to protect the confidentiality of data against such risks as unauthorized access, modification, or disclosure of data. We also reviewed additional physical security controls in place to protect veteran's privacy information.

We interviewed NPRC officials, observed the process of receiving military personnel record requests and responding to those requests, examined technical and operational controls in the Case Management and Reporting System, and reviewed pertinent documentation to determine whether veteran's information is appropriately safeguarded.

Our audit work was performed between January 2009 and August 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

FINDINGS AND RECOMMENDATIONS

Controls over Information in the Case Management and Reporting System

Our review found that controls over information in CMRS were not adequate to safeguard the confidentiality of PII or the integrity of the information stored in the system. Specifically, weaknesses exist in access controls, controls over data extracts containing sensitive PII, the protection of data stored on mobile devices, and the type of encryption used for remote access to the system. These weaknesses exist because NPRC officials, as the system owner, did not implement effective controls. The Privacy Act of 1974 requires NARA to maintain appropriate safeguards over the PII data stored in the system. As a result, NARA faces an increased risk of inappropriate disclosure of PII or destruction to the data in CMRS.

According to the Privacy Act of 1974, each agency that maintains a system of records shall establish appropriate administrative, technical and physical safeguards to assure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. NARA maintains a system of records for the automated CMRS and therefore, is responsible for establishing appropriate controls to safeguard the information.

Data Stored in the System

The CMRS database includes all record requests submitted to NPRC since the system went into operation in October 2002.
Therefore, over seven million record requests were stored in the CMRS database. Although a records disposition schedule to delete requests in the CMRS database was approved, NPRC officials did not follow the schedule and saved all requests. According to OMB Memorandum 07-16, one way to reduce the risk related to a data breach was to reduce the volume of collected and retained information to the minimum necessary. Maintaining unnecessary record requests in the database increases the potential damage that could be caused if a data breach were to occur since each record request contains PII.

CMRS includes an online service request and record tracking database. This database tracks and processes both electronic and mail-based inquiries from receipt through fulfillment and closure. Upon receipt, new cases are input electronically and physical documents are converted into digital images. Information entered into the system includes the requester's name, address, and phone number as well as the veteran's full name, social security number, date of birth, place of birth, and branch of service. Figure 1 is a view of the CMRS service request input screen to demonstrate the information entered into the system. While all personal information about the veteran does not have to be filled in, requesters are encouraged to provide as much information as possible in order to ensure the correct record is found. The CMRS database is archived to keep a permanent transaction record of the service provided.

Source: CMRS Concept of Operations

Figure 1. CMRS Service Request Input

As shown in Figure 1 above, the CMRS system contains all the information needed to steal a veteran's identity. For example, if a veteran were to request a copy of the records of their military service, the CMRS database would store their name, current address, and phone number in the Requester Information fields, and their social security number, date of birth and place of birth in the Veteran Information fields.

According to the Records Disposition Schedule:

    • Transaction data gathered and/or generated as the result of receiving and processing a customer request (including name of requester, name of veteran whose data is being requested, images of requester documentation, etc) should be cut off at the end of each fiscal year and can be destroyed 5 years after the cutoff.

    • Transaction data for access information (an extract of the live transaction data including name of veteran whose data is being requested, date requested, name of requester and associated records block) should be cut off at the end of each fiscal year. Data associated with these requests are exported to a "record of disclosure file" external to CMRS.

According to an NPRC official, completed record requests have not been removed from CMRS because when working on cases, technicians often have to refer to previous cases.
However, one technician interviewed stated they do not use earlier cases in CMRS because there is no way to search by case type to find how a similar request was answered. In addition, the technician stated each record request is unique, and therefore earlier cases would not be very useful. Another technician stated they refer back to previous cases in CMRS only when the case assigned is coded by CMRS as a duplicate. In those instances, the technician stated they would review the prior case to determine why another request was submitted.

A breach or loss involving this data could be very damaging financially and could erode public confidence, potentially jeopardizing NPRC's ability to achieve its mission. Additionally, if the breach constitutes a violation of relevant law, NPRC and/or its staff may be subject to criminal or civil penalties.

Recommendations

1. The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to export data for the "record of disclosure file" and follow the approved Records Disposition Schedule and limit the amount of record requests stored online.

Management Comments

Management concurred with the recommendation.

Password Configuration Weaknesses

A username and password were needed to log into the CMRS system; however, password requirements were not in place to protect the confidentiality of passwords and prevent unauthorized access. This occurred because NPRC officials did not believe password requirements were needed.
NIST SP 800-53 requires information systems to uniquely identify and authenticate users, and NARA Interim Guidance 804-2 requires that all passwords for unclassified systems be at least 8 characters and include special characters such as punctuation marks or symbols. Weak passwords increase the risk that an unauthorized person could gain access to information stored in the system.

User authentication establishes the validity of a user's claimed identity. The most widely used means of authentication is through the use of passwords. However, passwords are not conclusive identifiers of specific individuals since they may be guessed, copied, overheard, or shared. Therefore, additional controls are needed to protect the confidentiality of passwords. NPRC officials did not implement necessary controls to protect the confidentiality of CMRS passwords. Specifically:

    • ----Redacted pursuant to FOIA Exemption "high" b(2)----;

    • ----Redacted pursuant to FOIA Exemption "high" b(2)----;

    • ----Redacted pursuant to FOIA Exemption "high" b(2)----;

    • ----Redacted pursuant to FOIA Exemption "high" b(2)----;

    • ----Redacted pursuant to FOIA Exemption "high" b(2)----; and

    • ----Redacted pursuant to FOIA Exemption "high" b(2)----.

----Redacted pursuant to FOIA Exemption "high" b(2)----

According to NPRC officials, stronger password requirements were not needed because physical security controls at the facility would prevent an unauthorized user from gaining access to a computer terminal at NPRC.
In addition, a user would need to have a NARANET account and a Windows domain account in order to gain access to the system. While physical security controls and the need for a NARANET account provide additional layers of security, these controls do not protect the confidentiality of the passwords. ----Redacted pursuant to FOIA Exemption "high" b(2)----

Recommendations

2. The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to establish and enforce password requirements within CMRS that are appropriate based on the sensitivity of the information contained in the system and the need to protect the integrity of the information.

Management Comments

Management concurred with the recommendation.

Audit Response

Although the Assistant Archivist concurred with the recommendation, discussions about the draft report with management indicated the technical solution would not be implemented until ----Redacted pursuant to FOIA Exemption "high" b(2)----. We do not agree that implementation should be delayed until ----Redacted pursuant to FOIA Exemption "high" b(2)----. The current CMRS system has the capabilities to enforce password requirements; therefore, ----Redacted pursuant to FOIA Exemption "high" b(2)---- results in unnecessary risk to the confidentiality of data in the system.

Least Privilege

Over 50 Data Entry Clerks were given full access to the entire CMRS database and over 250 Core Technicians responding to record requests have the ability to view all requests in the database. This occurred because controls were not in place to enforce the most restrictive set of rights and privileges needed by users in performing their jobs.
As a result, information in the system was not protected against unauthorized access, modification, loss, or disclosure.

Data Entry Clerks are responsible for entering data from record requests received by mail into the CMRS system and then scanning a copy of the request which is saved as an attachment to the record request. In February 2009 there were 39 Data Entry Clerks as well as an additional 18 employees that perform other duties at NPRC but work overtime in the mailroom as Data Entry Clerks. Data Entry Clerks were granted access to the entire database of record requests and had the ability to edit all record requests.

According to an NPRC official, data entry clerks need access to all service requests because occasionally a re-scan of the original record request is needed. In those instances, a re-scan notice is received from the mailroom supervisor and the assigned data entry clerk is to retrieve the original service request from storage and re-scan the request. The data entry clerk performing the re-scan is not always the original clerk who entered the data.
The ability of data entry clerks to edit all requests increases the risk that a data entry clerk could intentionally or unintentionally delete or modify any record requests. The intentional or unintentional deletion or modification of incoming record requests could severely impact operations at the NPRC.

Core Technicians are responsible for reviewing the requests assigned to them, determining the information that should be provided and then responding to the request. While Core Technicians are only able to edit those requests assigned to them, the ability of more than 250 core technicians to view sensitive PII information in all requests stored in the system increases the risk of an inappropriate disclosure of data.

Recommendations

3. The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to establish controls to restrict users to only those rights and views needed to perform their job.

Management Comments

Management concurred with the intent of the recommendation but believed that appropriate controls consistent with business needs have been in place since 2002. Therefore, the Assistant Archivist does not anticipate making any changes and will accept this business risk.

Audit Response

Although the Assistant Archivist concurred with the intent of the recommendation, we do not agree with their plan to not take action to limit the set of rights and views of CMRS users. NARA can safeguard the confidentiality of PII by ensuring that users who must access records containing PII only have access to the minimum amount of PII data, along with those privileges (i.e. read, write, execute) that are necessary to perform their duties.

Review of System User Accounts

We identified several user IDs no longer in use that had not been removed from the system. This occurred because periodic reviews of the user IDs were not adequate to detect user accounts no longer needed. According to NIST SP 800-53, information system accounts should be reviewed at least annually. If user IDs no longer in use are not removed promptly, information in the system is at a greater risk of unauthorized disclosure.

In a review of CMRS user accounts we identified seven generic user IDs including four with administrative access. We requested additional information from NPRC as to what the accounts were used for. We also identified four NARA IT employees who had user accounts but no longer required access to the system. One of the four employees retired from NARA in January 2008 and returned to NARA as a contractor in February 2008 but their user ID was not removed even though access to CMRS was no longer needed. According to an NPRC official, a total of eight user IDs were no longer needed and would be deleted.

According to an NPRC official, they are not able to delete user accounts in CMRS but they are able to remove the "views" assigned to that person. The CMRS contractor is responsible for deleting the CMRS database account. According to the NPRC official, the eight user IDs that were determined to no longer be needed were probably established when the system was first developed and NPRC officials were not notified that the user accounts were no longer needed.

Recommendations

4. The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to review all application and database users at least annually.

Management Comments

Management concurred with the recommendation.

Controls over Data Extracts Containing Sensitive PII

CMRS users were not restricted from performing extracts of the database which could contain sensitive PII and ----Redacted pursuant to FOIA Exemption "high" b(2)----. In addition, the creation of computer-readable extracts from CMRS containing PII ----Redacted pursuant to FOIA Exemption "high" b(2)----. This occurred because 1) ----Redacted pursuant to FOIA Exemption "high" b(2)----; 2) ----Redacted pursuant to FOIA Exemption "high" b(2)----; and 3) ----Redacted pursuant to FOIA Exemption "high" b(2)----. OMB Memorandum 06-16 required ----Redacted pursuant to FOIA Exemption "high" b(2)---- Without ----Redacted pursuant to FOIA Exemption "high" b(2)----, veteran's data is at an increased risk of disclosure.

A computer-readable data extract from a database involves retrieving data from a database through a query and saving the data into a separate computer-readable entity such as another database, a spreadsheet, or a text file. According to an NPRC official, every CMRS user has the ability to perform a query of information in the CMRS database, which includes sensitive PII.
----Redacted pursuant to FOIA Exemption "high" b(2)----.

According to a CMRS official, they were aware of only two extracts of the CMRS database where information was queried and then saved to a CD. The CMRS official stated that these extracts were provided to the Marine Corps in July 2008 and January 2009. The extracts were logged by the CMRS official using email; however, the official was only able to provide emails relating to the second data extract due to the loss of their email archives. Therefore, email should not be used as a means of tracking data extracts.

----Redacted pursuant to FOIA Exemption "high" b(2)----

Recommendations

5. The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to limit users' ability to perform extracts of the database containing sensitive information or remove access to CD burners and thumb drives.

Management Comments

Management concurred with the intent of the recommendation stating system stakeholders are reviewing options for a technical and non-technical solution.

6. The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to ----Redacted pursuant to FOIA Exemption "high" b(2)----.

Management Comments

Management concurred with the intent of the recommendation stating that they will review options for a solution that will be tied to the technical refresh. The solution will take into consideration technical feasibility, cost, and performance implications.

Protection of Data Stored on Mobile Devices

CMRS backup tapes containing sensitive information were not encrypted before they were sent to an offsite storage facility or shipped to NPRC.
This occurred because NARA did not have an encrypted file system. OMB 06-16 requires agencies to encrypt all data on mobile devices which carry agency data unless the data is determined to be non-sensitive. If sensitive data is not encrypted, NARA faces an increased risk that the information could be disclosed to unauthorized individuals if the tapes are lost or stolen.

The intent of encrypting mobile devices is to protect sensitive information when it is removed from the agency's secured physical perimeter. According to a NARA Privacy Official, encryption of mobile devices includes backup tapes since the tapes are removed from the facility. Weekly full backups of the CMRS system are made and then sent to an offsite storage facility. In addition, backup tapes of closed record requests are shipped periodically to NPRC in St. Louis for storage. None of the backup tapes were encrypted.

According to an NH official, NARA is in the process of obtaining an encrypted file system. Until backup tapes are encrypted, sensitive data on the backup tapes are vulnerable to loss or theft while in transit to the offsite storage facility and to NPRC.

Recommendations

7. The Assistant Archivist for Information Services should encrypt backup tapes containing PII as required by OMB Memorandum 06-16.

Management Comments

Management concurred with the intent of the recommendation stating controls related to protecting PII with encryption are covered in NARA Directive 1608.9 and possible solutions will be considered as part of the technical refresh.

Encryption Used for Remote Access to the CMRS System

CMRS contractors use NARA's Virtual Private Network (VPN) to remotely access the system servers and their workstations. However, weaknesses in NARA's VPN result in risks to the confidentiality of the information accessed remotely. This occurred because ----Redacted pursuant to FOIA Exemption "high" b(2)----. Without secure remote access, information transmitted may be disclosed to unauthorized parties.

A VPN is a virtual network built on top of existing physical networks that can provide a secure communications mechanism for data. According to NIST, VPNs are used most often to protect communications carried over public networks such as the Internet. One way organizations can protect the confidentiality of transmitted PII is to encrypt the communications. Any information that will cross over the VPN connection that is not to be seen by non-VPN users should be encrypted to provide confidentiality protection for that information.

CMRS contractors use NARA's VPN to remotely access the system servers and their workstations. According to the contractor, remote access is needed to perform routine tasks and respond to other issues after hours. However, weaknesses in NARA's VPN result in risks to the confidentiality of the information accessed remotely.
Specifically,
the ----Redacted pursuant to FOIA Exemption "high" b(2)----

Another risk to the confidentiality of information transmitted over the VPN connection is
that CMRS contractors are ----Redacted pursuant to FOIA Exemption "high" b(2)----3
----.4 Allowing -redacted- increases the risk of disclosure of data in
CMRS because it allows ----Redacted pursuant to FOIA Exemption "high" b(2)----.
----Redacted pursuant to FOIA Exemption "high" b(2)----.
According to the CMRS contractors, they could use a more secure
protocol to access the CMRS servers; however, the protocol would have to be installed on
every server. ----Redacted pursuant to FOIA Exemption "high" b(2)----

CMRS contractors use the free version ---redacted--- to access the servers from their
desktop computers at NARA and to access their workstations when working remotely.
The contractor was aware of the security concerns involved ----Redacted pursuant to
FOIA Exemption "high" b(2)---- but stated its use was approved by the Office of
Information Services (NH). According to the contractor, NH performed security scans on
the server configurations in 2004 and did not disallow its use; therefore, they continue to
use it. According to ----Redacted pursuant to FOIA Exemption "high"
b(2)---- is unencrypted and anything typed into the viewer passes "in the
clear" to the server.
While the free edition may be suitable for use within NARANET or
with a secure VPN, it should not be used in conjunction with NARA's VPN to access
sensitive information contained in the CMRS system. CMRS officials should either
----Redacted pursuant to FOIA Exemption "high" b(2)---- to ensure information
transmitted remotely is not disclosed to unauthorized parties.

Use of ----Redacted pursuant to FOIA Exemption "high" b(2)---- was recorded as a
weakness on the ----Redacted pursuant to FOIA Exemption "high" b(2)----. The
weakness was listed as "ongoing" with an original scheduled completion date of May 31,
2007. Due to the sensitivity of information contained in the CMRS system, ----Redacted
pursuant to FOIA Exemption "high" b(2)----.

Recommendations

8. The Assistant Archivist for Information Services should use encryption that is FIPS
140-2 certified for the VPN.

9. The Assistant Archivist for Information Services should remove ----Redacted pursuant
to FOIA Exemption "high" b(2)---- from the CMRS servers and install a more secure
protocol.

10. The Assistant Archivist for Information Services should determine whether use of
----Redacted pursuant to FOIA Exemption "high" b(2)---- is needed, and if so, upgrade to a
more secure version.

Management Comments

Management concurred with the recommendations.

3 ----Redacted pursuant to FOIA Exemption "high" b(2)----.
4 ----Redacted pursuant to FOIA Exemption "high" b(2)----.

Unresolved Server Security Vulnerabilities

The quarterly vulnerability scan of the CMRS servers in February 2009 identified:

   • 18 critical confirmed vulnerabilities that allow ----Redacted pursuant to FOIA
     Exemption "high" b(2)----. Examples are the ability to ----Redacted pursuant to
     FOIA Exemption "high" b(2)----

   • 21 high confirmed vulnerabilities that ----Redacted pursuant to FOIA Exemption
     "high" b(2)----. Examples are ----Redacted pursuant to FOIA Exemption "high"
     b(2)----; and

   • 107 medium confirmed and potential warnings that have the potential of granting
     access or allowing code execution by means of ----Redacted pursuant
     to FOIA Exemption "high" b(2)----. Examples are ----Redacted pursuant to FOIA
     Exemption "high" b(2)----

The confirmed vulnerabilities represent exploitable security problems that compromise
confidentiality, integrity and availability. These vulnerabilities result in security
weaknesses that must be fixed. As of June 2009, action had not been taken to correct
these vulnerabilities. This was because the CIO's office believed the results were not
accurate and because there was difficulty in tracking the IP addresses noted on the reports
to the actual equipment.
Delays in investigating these vulnerabilities could severely
impact the confidentiality, integrity and availability of the CMRS system.

Recommendation

11. The Assistant Archivist for Information Services should review these vulnerabilities
and determine whether action is needed.

Management Comments

Management concurred with the recommendation.

Verification for Next of Kin Requests

NPRC does not require technicians to perform any verification to confirm that the veteran
is deceased before releasing records in response to next-of-kin requests. NPRC officials stated
that DoD has not provided any additional funding to cover the cost of making these
verifications, and therefore no changes have been made. The DoD Privacy Office stated
that if the personnel file does not reflect that the member is deceased, the individual
requesting such access should be required to provide reasonable proof that the member is
deceased. In addition, the SF-180 form instructions state that for next of kin requests, the
requester must provide proof of death. If NPRC does not perform proper verification,
individuals may be granted unauthorized access to military personnel records.

The SF-180 form is used to request information from military records. Release of the
information is subject to restrictions imposed by the military services consistent with
DoD regulations and the provisions of the Freedom of Information Act and the Privacy
Act of 1974. A veteran's next of kin can only request a record if the veteran is deceased;
however, NPRC does not require the requester to submit proof that the veteran is
deceased.
The instructions on the SF-180 5 state that for next of kin requests, the
requesters must provide proof of death, such as a copy of a death certificate, letter from
funeral home or obituary. However, NPRC does not enforce this requirement.
According to the NPRC 2008 Annual Assurance Statement, when responding to requests
from the next of kin of deceased veterans, NPRC accepts the requester's signature as
certification that they are authorized requesters.

The Department of Defense Privacy Office sent a letter to the NPRC Director in
November 2007 regarding the release of records to the next of kin (NOK) when the NOK
reports that a former member is deceased. According to the Defense Privacy Office, it is
essential that both the relationship to the individual and proof of death be established
before providing access and/or releasing the record to the NOK. If the military personnel
file does not reflect the requester as a NOK, then the individual should be required to
provide reasonable proof of his or her identity and relationship to the individual.
Similarly, the Defense Privacy Office states that if the personnel file does not reflect that
the member is deceased, the individual requesting such access should be required to
provide reasonable proof that the member is deceased.

The NPRC Director estimated that approximately 15 additional people would need to be
hired to review the NOK requests and obtain the required documentation to verify the
veteran was deceased and establish the relationship of the requester to the veteran. The
cost of this change along with other changes mentioned by the Defense Privacy Office
was estimated to be $8.5 million annually. Therefore, the Director proposed an
alternative solution which he determined would cost significantly less. The alternative
was to require verification of the veteran's death but continue to use the perjury statement
and technician review to establish the NOK relationship.
According to the NPRC
Director, the Defense Privacy Office never responded to his letter and did not fund the
cost of making these verifications; therefore, no changes have been made to the process.

5 The requirement for requesters to provide proof of death was added in the September 2008 revision of the
SF-180 form.

The Privacy Act states that agencies are not to disclose any record to any person or to
another agency without a written request by or with the prior written consent of the
individual to whom the record pertains.6 One core Technician interviewed stated that for
NOK requests they would review the social security index or the Department of Veterans
Affairs Beneficiary Identification Records Locator Subsystem (BIRLS) database to verify
whether a veteran was deceased before responding to a NOK request. NPRC should
ensure that the NOK requesting records has the proper documentation in order to prevent
unauthorized access to military personnel records.

Recommendations

12. The Assistant Archivist for Regional Records Services should direct the Director,
NPRC, to issue policy that requires technicians to verify that the veteran is deceased
before providing military records to a next of kin.

Management Comments

Management concurred with the recommendation.

Additional Safeguards Needed to Protect PII in Paper Form

Although controls were in place to protect military records stored in the stack areas, over
40,000 military records were left out in the office areas overnight and the Facility
Manager was unsure as to how many individuals had a copy of the master key needed to
open these doors.
This occurred because keys were not returned when individuals left
and annual key inventories were not conducted. According to NARA 271, NPRC should
have a key control plan to maintain a high level of security at the facility. Specifically, a
Key Control Officer should determine which keys, based on need, to issue to each
employee, and carry out or oversee completion of the required inventories of keys issued
and retained. Without proper key control, NPRC risks unauthorized access to military
records or disclosure of PII.

NARA Directive 1608 states that if staff collect, maintain, or disseminate PII in the
course of performing their duties, they must ensure that the information is properly
protected. During normal business hours, maintain information in areas accessible only
to authorized individuals. After business hours, offices that collect or maintain PII must
be locked. When not in use, paper based records containing PII must be stored in
locked cabinets.

6 The Privacy Act contains twelve conditions on which information could be disclosed without the consent
of the individual. For example, records could be disclosed pursuant to the order of a court of competent
jurisdiction.

Staff at NPRC collect, maintain, and disseminate PII in the course of performing their
duties. Therefore, PII is present throughout NPRC offices and, because of the nature of the
operations, there are substantial amounts of it. On March 26, 2009, there were
approximately 29,000 records in the Record Retrieval Area waiting to be re-filed and
approximately 15,000 records out in the Core Technician areas.

For example, stacks of incoming mail with veteran's record requests were located in the
mailroom.
As shown in Figure 2, completed record requests were also kept in the
mailroom, waiting for pickup by the U.S. Postal Service (USPS). Completed requests
received after the USPS pickup would be stored in the mailroom overnight. According to
a mailroom supervisor, the doors to the mailroom are closed and locked when the last
person leaves for the day.

Figure 2. NPRC Record Request Responses. (Photo taken by NPRC)

Each Core Technician has a cubicle with a desk and a cart (see Figures 3 and 4). The cart
is used to organize the OMPFs of the cases they are working on. Core Technicians do
not secure PII located on their desk or cart when they are away from their desk or when
they leave for the day. Instead, the doors to the area were closed and locked.

Figure 3. Core Technician Desk Cart. (Photo taken by NPRC)

Figure 4. Core Technician Cubicles. (Photo taken by NPRC)

In the Records Retrieval Branch there were carts full of military records waiting to be
re-filed (as shown in Figures 5 and 6). The doors into the Record Retrieval Branch were
closed and locked by the last person to leave.

Figure 5. OMPFs Returned and Waiting to be Re-filed. (Photo taken by NPRC)

Figure 6. Staff organizing OMPFs to be re-filed. (Photo taken by NPRC)

Based on the office layout at NPRC, it was not possible for all the records to be stored in
locked cabinets as required by NARA Directive 1608. In addition, an NPRC official
stated that they would not want technicians to be able to lock up records in their desks.

The -redacted-- key opens all the doors to these office areas. For example, a mailroom
employee would be able to unlock the door and obtain access to the Records Retrieval
Branch. The Facility Manager stated he performed a key inventory in 2005 and
estimated there were ----redacted---- keys. However, the key inventory consisted of
sending an email to each of the core managers and asking them to report how many keys
they had issued to their staff; therefore, additional master keys may exist. According to
the facility manager, no keys have been turned back in to him since he performed the key
inventory in 2005. The facility manager believed that instead of turning in keys to his
office when staff leave, supervisors keep the key to hand out to the next person.

Physical access controls are designed to protect the organization from unauthorized
access. These controls should limit access to only those individuals authorized by
management. Further, all keys should be accounted for and not left with former
employees or contractors. Without adequate key control, NPRC is vulnerable to physical
access exposures including damage, vandalism or theft of equipment; copying or viewing
of sensitive information; and alteration of sensitive equipment and information.
Possible
threats include employees with authorized or unauthorized access who are disgruntled,
threatened by disciplinary action or dismissal, addicted to a substance or gambling,
experiencing financial or emotional problems, or notified of their termination.

NPRC will be moving to a new facility in 2010; however, in the interim, a key control
inventory of the NARA10 key and any other master keys should be conducted.

Recommendations

13. The Assistant Archivist for Regional Records Services should direct the Director,
NPRC, to conduct a key inventory of the -redacted-- key and any other master keys in
use at NPRC to ensure all keys are accounted for.

Management Comments

Management concurred with the recommendation stating that the required key inventory
has been completed.

Paper Recycling

NPRC used contractor-witnessed pulping to dispose of its waste paper containing PII and
did not shred paper prior to pickup by the contractor. This occurred because NPRC did
not have shredders with the capacity to handle the volume of paper with PII being
recycled and because NPRC officials decided to treat paper with PII in the same manner
in which restricted records center holdings are disposed. NARA Directive 1608 requires
staff who collect, maintain, or disseminate PII in the course of performing their duties,
to properly destroy materials containing PII.
As a result, NPRC waste paper containing
PII may be disclosed to unauthorized individuals and due to the sensitivity of information
contained on the paper, could lead to identity theft.

According to NARA Directive 1608, if staff collect, maintain, or disseminate PII in the
course of performing their duties, they must ensure the information is properly protected.
Specifically, NARA staff are to properly destroy materials containing PII by shredding,
burning, deleting or other authorized destruction methods that ensure the data or record
is unreadable or unrecoverable.

NPRC has a recycling contract for disposal of their paper. NPRC decided to enter into
their own contract, separate from GSA, because so much of the paper they recycle has
PII. For example, all record requests received in the mail are recycled. Information that
may be included on the record request form includes the veteran's full name, social
security number (SSN), service number (SN), place of birth, and date of birth. In
addition, the CMRS system prints out Search Request forms (shown in Figure 7 below)
which may include the veteran's name, SSN, SN, place of birth and date of birth. These
papers are placed into large yellow bins to be recycled (see Figure 8 below).

Figure 7. Example of a Search Request.

Figure 8. Paper Recycle Bin.

According to the contract, the method of destruction would be repulping and a
representative of the contractor would witness the loading and sealing of the enclosed van
trailer, which would be sent to a recycling mill in Oklahoma. According to the contract,
once the contractor receives written notification the material has been destroyed through
the process of re-pulping, a Certificate of Destruction is issued. The contract does not
specify that a representative from the contractor will witness the destruction of the paper,
only the loading and sealing of the truck at NPRC.
Although the Performance Work
Statement states that the government has the right to send its representatives into the
offices and plants of the contractor of those facilities utilized by the contractor for
destruction for the purpose of verifying terms of the agreement are met, NPRC officials
have not inspected the re-pulping facility since the issuance of the contract.

An NPRC official stated that some managers have shredders in their offices which they
use for shredding personal and/or sensitive materials, but because so much of the NPRC
office waste includes PII it is handled in the same manner in which the disposal of
restricted records center holdings is handled: witnessed disposal by pulping in accordance
with NARA 1464 "Destruction of Federal Records in the Custody of NARA Records
Centers." According to NARA 1464, if the records are restricted, the wastepaper
contractor must be required to pulp, macerate, or shred the records, and their destruction
must be witnessed by either a Federal employee or, if authorized by the agency that
created the records, by a contractor employee.

Recommendations

14. The Assistant Archivist for Regional Records Services should direct the Director,
NPRC, to periodically inspect the recycling mill to ensure requirements of the contract
are being met and that the sealed truck is stored in a secure area until the paper can be
recycled.

Management Comments

Management concurred with the recommendation.

Attachment 1

National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date:      September 30, 2009

To:        Office of the Inspector General (OIG)

From:      Policy and Planning Staff (NPOL)

Subject:   OIG Draft Report No. 09-16, Draft Audit of NARA's Processing of Military Personnel
Record Requests (CMRS)

Thank you for the opportunity to review and comment on this draft audit report. We
appreciate the efforts of your staff and all parties associated with the audit process. This
memo contains the combined comments of NR, NH, and NGC. We concur with the majority
of the 14 recommendations as detailed below and we appreciate the auditor's willingness to
work with the language in the audit and recommendations.

We concur with recommendations 1, 2, 4, 8, 9, 10, 11, 12, and 14, some of which require a
technical solution. We will include additional information on these in our action plan. We
also concur with recommendation 13. NR notes that the required key inventory has been
completed.

We concur with the intent of recommendation 3. However, appropriate controls consistent
with NR business needs have been in place since 2002. No changes are anticipated, and
management will accept this business risk in our action plan.

We concur with the intent of recommendation 5. There are business reasons for performing
extracts of data in the system, and controls are covered in NARA 1608, Protection of
Personally Identifiable Information. System stakeholders are reviewing options for a
technical and non-technical solution.

We concur with the intent of recommendation 6. System stakeholders will review options
for a solution that will be tied to the technical refresh. The solution will take into
consideration technical feasibility, cost, and performance implications.

We concur with the intent of recommendation 7. Controls related to protecting PII with
encryption are covered in NARA 1608.9. Possible solutions will be considered as part of the
technical refresh.

If you have questions about these comments, please contact Mary Drak at 301-837-1668 or by
email at mary.drak@nara.gov.

SUSAN M. ASHTIANIE
Director, Policy and Planning Staff

NARA's web site is http://www.archives.gov
'
There are business reasons for performing\n           extracts of data in the system, and controls are covered in NARA 1608, Protection of\n           Personally Identifiable Information. System stakeholders are reviewing options for a\n           technical and non-technical solution.\n\n           We concur with the intent of the recommendation 6. System stakeholders will review options\n           for a solution that will be tied to the technical refresh. The solution will take into\n           consideration technical feasibility, cost, and performance implications.\n\n           We concur with the intent of recommendation 7. Controls related to protecting PI! with\n           encryption are covered in NARA 1608.9. Possible solutions will be considered as part of the\n           technical refresh.\n\n           If you have questions about these comments, please contact Mary Drak at 301-837-1668 or by\n           email at mary.drak@nara.gov.\n\n\n        d~Qska~ \n\n           SUSAN M. ASHTIANIE\n           Director, Policy and Planning Staff\n\n\n\n                                  NARA\'s web site is http://www.archives.gov\n\x0c'